Yes, there are people out there that will try to steal your identity, especially if you (the programmer) do something dumb like putting the SID in the query string.

Regenerating the SID (via the new() method) at each and every point is just as dumb and just goes to show that even wikipedia can give bad advice.

The login page is, in most cases, the only place where you explicitly generate the SID via the new() method. All other places use the module's load() method. After the object has been created, you then apply your checks (is it expired, is it empty, is it coming from the same host, etc.). If any one of the checks fails, then delete and flush the session and redirect to the login page.

Normally, the only session info sent to the client is the session ID; however, you can add other info. For example, you could add an item that stores the PID of the script and then, when they return, confirm that it's still there and matches what is stored on the server. If that fails, then redirect them to the login page.

I'm not exactly sure how to respond at this point. The main emphasis of the link you provided as the reason to regenerate a brand new SID at each point dealt with passing the SID in the query string in an unrealistic scenario.

If that's not the case, then what problem are you trying to resolve?

Since you haven't yet and don't seem to be willing to provide your session related code or a clear explanation of the problem that you need to fix, I don't know what corrections to your code I should suggest.
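The new()-on-login / load()-everywhere-else flow described in the reply above, written out as an added CGI::Session example (not code from the poster). The file-backed DSN, the session directory, the cookie flags, the `/login` redirect target and the `ua` marker stored at login are all assumptions made for the sake of the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

my $q   = CGI->new;
my $dsn = 'driver:file;serializer:default';       # assumption: file-backed store
my %opt = ( Directory => '/tmp/app-sessions' );    # assumption: writable directory

# Login page only: mint a brand-new session once the user has authenticated.
sub start_session_after_login {
    my ($username) = @_;
    my $s = CGI::Session->new($dsn, undef, \%opt)
        or die CGI::Session->errstr;
    $s->expire('+1h');                        # idle timeout enforced by is_expired()
    $s->param('user', $username);
    $s->param('ua',   $q->user_agent || '');  # extra server-side marker (assumed name)
    $s->flush;
    # Hand the SID to the client in a cookie, never in the query string.
    print $q->header(-cookie => $q->cookie(-name     => $s->name,
                                            -value    => $s->id,
                                            -httponly => 1,
                                            -secure   => 1));
    return $s;
}

# Every other page: load the existing session and run the checks.
sub require_valid_session {
    # load() picks the SID up from the cookie itself and never creates a new one.
    my $s = CGI::Session->load($dsn, $q, \%opt)
        or die CGI::Session->errstr;

    my $bad = $s->is_expired                                         # past expire()
           || $s->is_empty                                           # no/unknown SID
           || ($s->remote_addr // '') ne ($q->remote_addr // '')     # different host
           || ($s->param('ua')  // '') ne ($q->user_agent || '');    # marker mismatch

    if ($bad) {
        $s->delete;                 # remove the record server-side ...
        $s->flush;                  # ... and write that removal through
        print $q->redirect('/login');
        exit;
    }
    return $s;
}
```

The remote-address comparison is the "same host" check from the reply; it will reject legitimate users whose address changes between requests (mobile networks, some proxies), so treat it as one signal among several rather than the only one.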